{"url":"http://public2.vulnerablecode.io/api/packages/187995?format=json","purl":"pkg:composer/laminas/laminas-diactoros@2.1.3p2","type":"composer","namespace":"laminas","name":"laminas-diactoros","version":"2.1.3p2","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.18.1","latest_non_vulnerable_version":"2.25.2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/110487?format=json","vulnerability_id":"VCID-fr6v-6ctc-13aj","summary":"Diactoros before 2.11.1 vulnerable to HTTP Host Header Attack\n### Impact\n\nApplications that use Diactoros, and are either not behind a proxy, or can be accessed via untrusted proxies, can potentially have the host, protocol, and/or port of a `Laminas\\Diactoros\\Uri` instance associated with the incoming server request modified to reflect values from `X-Forwarded-*` headers. Such changes can potentially lead to XSS attacks (if a fully-qualified URL is used in links) and/or URL poisoning.\n\n### Patches\n\nAny version after 2.11.0.\n\nStarting in laminas/laminas-diactoros 2.11.1, we have added `Laminas\\Diactoros\\ServerRequestFilter\\FilterServerRequestInterface`, which defines the single method `__invoke(Psr\\Http\\Message\\ServerRequestInterface $request): Psr\\Http\\Message\\ServerRequestInterface`. Filters implementing this interface allow modifying and returning a generated `ServerRequest`.\n\nThe primary use case of the interface is to allow modifying the generated URI based on the presence of headers such as `X-Forwarded-Host`. When operating behind a reverse proxy, the `Host` header is often rewritten to the name of the node to which the request is being forwarded, and an `X-Forwarded-Host` header is generated with the original `Host` value to allow the server to determine the original host the request was intended for. (We have always examined the `X-Forwarded-Proto` header; as of Diactoros 2.11.1, we also examine the `X-Forwarded-Port` header.) To accommodate this use case, we created Laminas\\Diactoros\\ServerRequestFilter\\FilterUsingXForwardedHeaders.\n\nDue to potential security issues, it is generally best to only accept these headers if you trust the reverse proxy that has initiated the request.\n(This value is found in `$_SERVER['REMOTE_ADDR']`, which is present as `$request->getServerParams()['REMOTE_ADDR']` within PSR-7 implementations.) `FilterUsingXForwardedHeaders` provides named constructors to allow you to trust these headers from any source (which has been the default behavior of Diactoros since the beginning), or to specify specific IP addresses or CIDR subnets to trust, along with which headers are trusted.\n\n`Laminas\\Diactoros\\ServerRequestFactory::fromGlobals()` was updated to accept a `FilterServerRequestInterface` as an additional, optional argument. Since the `X-Forwarded-*` headers do have valid use cases, particularly in clustered environments using a load balancer, to prevent backwards compatibility breaks, if no filter is provided, we generate an instance via `FilterUsingXForwardedHeaders::trustReservedSubnets()`, which generates an instance marked to trust only proxies on private subnets.\n\n### Workarounds\n\nInfrastructure or DevOps can configure web servers to reject `X-Forwarded-*` headers at the web server level.\n\nUsers of laminas/laminas-diactoros can make use of the `Laminas\\Diactoros\\RequestFilter\\RequestFilterInterface` functionality in order to either (a) disable usage of the `X-Forwarded-*` headers entirely, (b) opt-in to it, or (c) opt-in to the usage for configured proxy servers.\n\n### References\n\n- [HTTP Host Header Attacks](https://portswigger.net/web-security/host-header)\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n- Open an issue in [laminas/laminas-diactoros](https://github.com/laminas/laminas-diactoros/)\n- [Email us](mailto:security@getlaminas.org)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-31109","reference_id":"","reference_type":"","scores":[{"value":"0.00383","scoring_system":"epss","scoring_elements":"0.59987","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00383","scoring_system":"epss","scoring_elements":"0.5994","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-31109"},{"reference_url":"https://github.com/advisories/GHSA-8274-h5jp-97vr","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8274-h5jp-97vr"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/laminas/laminas-diactoros/CVE-2022-31109.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/laminas/laminas-diactoros/CVE-2022-31109.yaml"},{"reference_url":"https://github.com/laminas/laminas-diactoros","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/laminas/laminas-diactoros"},{"reference_url":"https://github.com/laminas/laminas-diactoros/commit/25b11d422c2e5dad868f68619888763b30f91e2d","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:53:07Z/"}],"url":"https://github.com/laminas/laminas-diactoros/commit/25b11d422c2e5dad868f68619888763b30f91e2d"},{"reference_url":"https://github.com/laminas/laminas-diactoros/releases/tag/2.11.1","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/laminas/laminas-diactoros/releases/tag/2.11.1"},{"reference_url":"https://github.com/laminas/laminas-diactoros/security/advisories/GHSA-8274-h5jp-97vr","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:53:07Z/"}],"url":"https://github.com/laminas/laminas-diactoros/security/advisories/GHSA-8274-h5jp-97vr"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31109","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31109"},{"reference_url":"https://portswigger.net/web-security/host-header","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:53:07Z/"}],"url":"https://portswigger.net/web-security/host-header"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/149170?format=json","purl":"pkg:composer/laminas/laminas-diactoros@2.11.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-jc36-p4jx-t3e1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laminas/laminas-diactoros@2.11.1"}],"aliases":["CVE-2022-31109","GHSA-8274-h5jp-97vr","GMS-2022-3226"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fr6v-6ctc-13aj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/45027?format=json","vulnerability_id":"VCID-jc36-p4jx-t3e1","summary":"Improper Input Validation\nLaminas Diactoros provides PSR HTTP Message implementations. In versions 2.18.0 and prior, 2.19.0, 2.20.0, 2.21.0, 2.22.0, 2.23.0, 2.24.0, and 2.25.0, users who create HTTP requests or responses using laminas/laminas-diactoros, when providing a newline at the start or end of a header key or value, can cause an invalid message. This can lead to denial of service vectors or application errors. The problem has been patched in following versions 2.18.1, 2.19.1, 2.20.1, 2.21.1, 2.22.1, 2.23.1, 2.24.1, and 2.25.1. As a workaround, validate HTTP header keys and/or values, and if using user-supplied values, filter them to strip off leading or trailing newline characters before calling `withHeader()`.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-29530","reference_id":"","reference_type":"","scores":[{"value":"0.00671","scoring_system":"epss","scoring_elements":"0.71806","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-29530"},{"reference_url":"https://github.com/laminas/laminas-diactoros","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/laminas/laminas-diactoros"},{"reference_url":"https://github.com/laminas/laminas-diactoros/commit/7e721a60a09c5119c98694c2d23fc031094e1f1c","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/laminas/laminas-diactoros/commit/7e721a60a09c5119c98694c2d23fc031094e1f1c"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BPW54QK7ISDALPLP2CKODU4ZIVRYS336","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BPW54QK7ISDALPLP2CKODU4ZIVRYS336"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BPW54QK7ISDALPLP2CKODU4ZIVRYS336/","reference_id":"BPW54QK7ISDALPLP2CKODU4ZIVRYS336","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-12T17:05:24Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BPW54QK7ISDALPLP2CKODU4ZIVRYS336/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-29530","reference_id":"CVE-2023-29530","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-29530"},{"reference_url":"https://github.com/advisories/GHSA-wxmh-65f7-jcvw","reference_id":"GHSA-wxmh-65f7-jcvw","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-12T17:05:24Z/"}],"url":"https://github.com/advisories/GHSA-wxmh-65f7-jcvw"},{"reference_url":"https://github.com/advisories/GHSA-xv3h-4844-9h36","reference_id":"GHSA-xv3h-4844-9h36","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-xv3h-4844-9h36"},{"reference_url":"https://github.com/laminas/laminas-diactoros/security/advisories/GHSA-xv3h-4844-9h36","reference_id":"GHSA-xv3h-4844-9h36","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-12T17:05:24Z/"}],"url":"https://github.com/laminas/laminas-diactoros/security/advisories/GHSA-xv3h-4844-9h36"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/64936?format=json","purl":"pkg:composer/laminas/laminas-diactoros@2.18.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laminas/laminas-diactoros@2.18.1"},{"url":"http://public2.vulnerablecode.io/api/packages/64937?format=json","purl":"pkg:composer/laminas/laminas-diactoros@2.19.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laminas/laminas-diactoros@2.19.1"},{"url":"http://public2.vulnerablecode.io/api/packages/64938?format=json","purl":"pkg:composer/laminas/laminas-diactoros@2.20.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laminas/laminas-diactoros@2.20.1"},{"url":"http://public2.vulnerablecode.io/api/packages/64939?format=json","purl":"pkg:composer/laminas/laminas-diactoros@2.21.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laminas/laminas-diactoros@2.21.1"},{"url":"http://public2.vulnerablecode.io/api/packages/64940?format=json","purl":"pkg:composer/laminas/laminas-diactoros@2.22.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laminas/laminas-diactoros@2.22.1"},{"url":"http://public2.vulnerablecode.io/api/packages/64941?format=json","purl":"pkg:composer/laminas/laminas-diactoros@2.23.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laminas/laminas-diactoros@2.23.1"},{"url":"http://public2.vulnerablecode.io/api/packages/64942?format=json","purl":"pkg:composer/laminas/laminas-diactoros@2.24.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laminas/laminas-diactoros@2.24.2"},{"url":"http://public2.vulnerablecode.io/api/packages/64943?format=json","purl":"pkg:composer/laminas/laminas-diactoros@2.25.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laminas/laminas-diactoros@2.25.2"}],"aliases":["CVE-2023-29530","GHSA-xv3h-4844-9h36"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jc36-p4jx-t3e1"}],"fixing_vulnerabilities":[],"risk_score":"3.1","resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laminas/laminas-diactoros@2.1.3p2"}